Risk Management Structure

Risks associated to business operations are managed under oversight from the board of directors, within the responsibilities mandated to our division companies, Headquarters Management Committee (HMC), and relevant committees.

ITOCHU has established internal committees and responsible departments in order to address the various risks associated with the Group's business operations, such as market risk, credit risk, country risk, and investment risk. At the same time, on a Group basis ITOCHU has developed the risk management systems and methods to manage various risks individually and on a companywide basis. Those include a range of management regulations, investment criteria, risk exposure limits, and transaction limits, as well as reporting and monitoring systems. Moreover, ITOCHU regularly reviews the effectiveness of its risk management systems and reports on results and findings to the board of directors.

At the Group level, ITOCHU's structural approach to risk management is overseen by the President and Chief Operating Officer (COO) and the Board of Directors and aims to ensure timely and sound executive decision making. The HMC, which is chaired by the President and COO and comprised of the Chairman and Chief Executive Officer (CEO) and other executives appointed by the President and COO, is the committee that sits at the highest level regarding our risk management system. Subsequent committees that report up to the HMC, also referred to as Principal Internal Committees, which include the Internal Control Committee, Disclosure Committee, ALM Committee, Compliance Committee, Sustainability Committee, and Investment Consultative Committee, are responsible for identifying and addressing risks and incidents in their respective fields.

The Sustainability Committee, one of the Principal Internal Committees introduced above, is tasked to promote sustainability in the ITOCHU Group's company-wide risk management. The Committee manages operational ESG risks such as human rights risks, health and safety risks, climate risks, and natural disaster risks, as well as ESG risks related to investments. The Committee cooperates with other Committees as necessary and makes decisions on policies and initiatives to address ESG risks and operational improvements to further mainstream sustainability concerns in our risk management culture. Activities and findings are compiled by the Committee and reported to the Board of Directors annually.

At the individual Company level, each Company's President reports to the Division Company Management Committee (DMC), an advisory body to the Companies. The DMC deliberates on important issues such as those regarding investments, lending, assurance, and business management that have the potential to substantially impact the management of each company. If the risks identified or escalated exceed beyond the responsibilities mandated to the DMC, depending on the gravity of the risk and upon deliberation with other committees as necessary, risk issues may be escalated to the HMC and/or the Board of Directors.

ITOCHU is a company with Audit & Supervisory Board Members and endeavors to strengthen the monitoring/supervising function and ensure the transparency of decision making by having the Audit & Supervisory Board Members (including outside Audit & Supervisory Board Members) fully monitor corporate management. Auditors are therefore independent from the Committees within our risk management structure, including the HMC, but do attend Committees to perform their monitoring/supervising responsibilities. The executives chairing each respective Committee is also required to report to the HMC and/or the President and COO as necessary. The Audit Department directly under COO and other corporate staff departments oversee risks and our group-wide approach to managing risks as assigned within their mandated responsibility, and are also required to support the HMC and their subsequent Committees.

• Organization chart regarding the ITOCHU Group's corporate governance structure and internal controls system
• Overview of ITOCUH Group's main internal committees

With the business environment being filled with rapid changes and uncertainty, the ITOCHU Group recognizes the importance of predicting and preparing for various eventualities. As such, we create and analyze various risk scenarios regarding the various elements of the macroeconomic environment, such as political, legal, economic, socioeconomic, and technological factors, and consider relevant future impacts in our management planning.

Please see here for our non-financial capital PEST analysis reported in the Integrated Report.

Risk Management

Risk Capital Management^*1 and Management of Concentration Risk

Risk Assets^*2 and Risk Buffer

1. The cost of shareholders' equity set at 8%
2. Risk Asset = Total shareholders' equity + Non-controlling interests

Strict Management of Risk Assets

Our basic operational policy involves first calculating risk assets based on the maximum amount of possible future losses from all assets on the balance sheet including investments and all off-balance-sheet transactions. Second, we manage the amount of risk assets within the limits of our risk buffer (Total shareholders' equity + Non-controlling interests). As we promote investments that will lead to evolve existing business moving forward, we will work to maintain risk assets within the limits of our risk buffer, conduct strict risk management, and further strengthen our financial position.

Business Investment Management

Fundamental Approach

Along with strategic business alliances, business investment is an important means of creating new businesses. To actively promote strategic investments in areas of strength in a timely manner, we choose the optimal structure from a wide range of methods, such as establishing a wholly owned subsidiary, implementing joint investment with partners, and participating in management through M&As or converting to a consolidated subsidiary.
In principle, we hold investments continuously. After making each investment, we work to maximize the investee's corporate value and to expand trading profit and dividends received by fully utilizing our Groupwide capabilities. Given such considerations as larger-scale investments in recent years, we are rigorously screening the appropriateness of the business plan and acquisition price. For existing investments, to increase investment earnings and to exit quickly from low-efficiency assets, we are further strengthening monitoring procedures, centered on instituting more rigorous exit criteria and thoroughly implementing periodic investment review.

Decision-Making Process for New Investments

A multilayered decision-making process that achieves quick decision-making by giving a certain level of discretion to the Division Companies while striving to pursue investment return and curb investment risk.

Business Investment Process

Starting with the impact of COVID-19, the business environment changed dramatically in FYE 2021.
Against this background, we steadily implemented strategic investment at the right time and divested businesses which are less efficient or past the peak.
We cleared up business concerns and further strengthened our economy-resilient earnings base.
At the same time, we strictly implemented various processes, including the verification of the validity of business plans at the time of investment decisions, and meticulously monitored those decisions after investing. This allowed us to maintain a high ratio of profit-making group companies at 82.4%.

Number of Consolidated Subsidiaries and Share of Group Companies Reporting Profits

Security Risk Management

Policy and Basic Concept

The ITOCHU Group aims to reduce and avoid information and data security risks by taking a structured approach to ensure a high level of information security. The Information Security Policy is communicated to all of our executives and employees and serves as the overarching policy that guides our information management initiatives. We have also established the Information Management Code, which includes a code of conduct specific to information and data security to which our executives and employees must comply to. More specifically, rules and standards are strictly set regarding the management of personal information, documents, and IT security to prevent information leakage and breaches.

Structures and Systems

Name	Chairman	Objectives
IT Strategy Council	CDO・CIO	Deliberates regarding IT Strategy (Annual IT Strategic Plan, etc.)

Initiatives

ITOCHU has formulated a company-wide information strategy for digital transformation (DX) and data-driven managementｔ and is aiming for IT-based management. In order to ensure a high level of information security that supports these management foundations, we continue to take thorough measures for crisis management, including the establishment of security guidelines, the expansion of security infrastructure, and the strengthening of technical security measures for malware, etc.

We routinely collect the latest information regarding potential cyber threats by analyzing system logs and malware. Additionally, when incidents do occur, we respond instantly by investigating their causes, discussing possible countermeasures, and restoring services. This is done by the ITOCHU Computer Emergency Readiness, Response & Recovery Team (ITCCERT) – a cyber security team whose members are senior cyber security analysts. In FYE 2018, we established ITCCERT space in our IT & Digital Strategy Division to further enhance security countermeasures across the entire Group and to develop security personnel. We also provide training programs to develop technicians proficient in cyber security. There are few examples of user companies in Japan that are working as actively as we are to develop systems and respond to information security risk. Moving forward, we plan to maintain these initiatives and make enhancements where necessary to ensure sustainable growth that is free from cyber threats.

We periodically engage in the training programs listed below to maintain and improve our information security program.

• We give training to all employees on how to identify and respond to targeted e-mail attacks twice a year.
• All global employees including those in group companies are subject to a mandatory, simultaneous e-learning course on information security, which is held every three years.
• Several times a year, the ITCCERT leads an internal cyber security workshop for the ITOCHU Group companies.
• Policies regarding information security and the management of personal information are required to be communicated to employees upon hiring. If amendments or updates are made to these policies, all executives and employees receive a notification of the changes made. Employees are also updated on such amendments in their periodic e-learning trainings.

Cyber security is especially important to us given that our BCP is supplemented by IT solutions which have enabled us to maintain business operations during the COVID-19 pandemic. Such IT solutions include our adoption of thin clients in all of our internal computers, WEB-based teleconferencing systems, and cloud systems. We ensure that cyber security is monitored in these systems by requiring that all company-wide services and tools are subject to prior assessments.